duplicheck plugin

The duplicheck plugin provides advanced but very specialized peer identity duplicate checking. It works independently of the ipsec.conf uniqueids feature.

To enable the plugin, add --enable-duplicheck to the ./configure options.

Behavior

The behavior of the duplicheck plugin is as follows:
  • While establishing a new IKE_SA, check whether one already exists with the same peer identity
  • If yes:
    • Initiate an IKE_SA delete exchange on the old IKE_SA, which checks its liveness and deletes it at the same time
    • If no response to the delete is received after several retransmits, destroy the old IKE_SA
    • If a response is received:
      • Also delete the newly established IKE_SA
      • Send a notification over a UNIX socket to listening applications (if any)

Configuration

The plugin is configured using the following strongswan.conf options:

Key                                Default                        Description
charon.plugins.duplicheck.enable   Yes                            Enable duplicheck functionality
charon.plugins.duplicheck.socket   unix://${piddir}/charon.dck    Socket provided by the duplicheck plugin

Notifications

If two IKE_SAs exist with the same peer identity, and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX or TCP socket (TCP is available since 5.1.0). An example application of a listener is provided with the duplicheck tool. It listens on the socket and receives the affected peer identity.

To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You'll have to start a dedicated thread to read from the socket or integrate the file descriptor into your application's main loop.
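The following is an added example of such a listener; it is not code from strongSwan or from the bundled duplicheck tool. It assumes the framing used by the tool as far as I recall it: each notification is a 16-bit length in network byte order followed by the peer identity bytes without a terminating NUL. Verify that assumption against duplicheck.c before relying on it. The default socket path /var/run/charon.dck (from unix://${piddir}/charon.dck with the usual piddir) is also an assumption, and the two selftest_* helpers exercise the parser over a socketpair with constructed identities, including an oversized message that must be drained so the stream stays in sync.

```c
/* Added example listener for duplicheck notifications (not strongSwan code).
 * Assumed wire format: uint16 length (network byte order) + identity bytes. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Read exactly len bytes from fd; 0 on success, -1 on EOF or error. */
static int read_all(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Read one notification into id (NUL-terminated). Returns the identity
 * length, -1 on EOF/error, -2 if it does not fit (message is drained). */
int read_notification(int fd, char *id, size_t idlen)
{
    uint16_t netlen;
    if (read_all(fd, &netlen, sizeof(netlen)) < 0) return -1;
    size_t len = ntohs(netlen);
    if (len + 1 > idlen) {
        char scratch[256];                 /* drain so framing stays aligned */
        while (len > 0) {
            size_t chunk = len < sizeof(scratch) ? len : sizeof(scratch);
            if (read_all(fd, scratch, chunk) < 0) return -1;
            len -= chunk;
        }
        return -2;
    }
    if (read_all(fd, id, len) < 0) return -1;
    id[len] = '\0';
    return (int)len;
}

/* Frame an identity the way the plugin is assumed to; bytes written or -1. */
int encode_notification(const char *id, unsigned char *out, size_t outlen)
{
    size_t len = strlen(id);
    if (len > UINT16_MAX || outlen < len + 2) return -1;
    uint16_t netlen = htons((uint16_t)len);
    memcpy(out, &netlen, 2);
    memcpy(out + 2, id, len);
    return (int)(len + 2);
}

/* Connect to the plugin's UNIX socket (charon.plugins.duplicheck.socket). */
int connect_duplicheck(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof(addr.sun_path)) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1; }
    return fd;
}

/* Self-test: frame a constructed identity, read it back. 1 if it matches. */
int selftest_roundtrip(const char *identity)
{
    int sv[2], n, ok = 0;
    unsigned char frame[300];
    char got[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    n = encode_notification(identity, frame, sizeof(frame));
    if (n > 0 && write(sv[0], frame, (size_t)n) == n)
        ok = read_notification(sv[1], got, sizeof(got)) == (int)strlen(identity)
             && strcmp(got, identity) == 0;
    close(sv[0]); close(sv[1]);
    return ok;
}

/* Self-test: a 300-byte identity into a 16-byte buffer is reported as -2,
 * and the following normal notification still parses. 1 on success. */
int selftest_oversize(void)
{
    int sv[2], n, ok = 0;
    unsigned char frame[320];
    char big[301], small[16];
    memset(big, 'A', 300); big[300] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    n = encode_notification(big, frame, sizeof(frame));
    if (n > 0 && write(sv[0], frame, (size_t)n) == n) {
        n = encode_notification("peer", frame, sizeof(frame));
        if (n > 0 && write(sv[0], frame, (size_t)n) == n)
            ok = read_notification(sv[1], small, sizeof(small)) == -2
                 && read_notification(sv[1], small, sizeof(small)) == 4
                 && strcmp(small, "peer") == 0;
    }
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(int argc, char *argv[])
{
    const char *path = argc > 1 ? argv[1] : "/var/run/charon.dck"; /* assumed */
    char id[256];
    int fd = connect_duplicheck(path), n;
    if (fd < 0) { perror("connect"); return 1; }
    while ((n = read_notification(fd, id, sizeof(id))) != -1) {
        if (n == -2) { fprintf(stderr, "oversized notification dropped\n"); continue; }
        printf("duplicate peer identity: %s\n", id);  /* hand off to your app here */
    }
    close(fd);
    return 0;
}
```

Run it as a dedicated thread or feed the descriptor returned by connect_duplicheck() to your main loop's poll set; read_notification() blocks only until one complete message has arrived, and a -1 return means charon closed the socket, so reconnect rather than spin.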